Hi, For stretch, the last two commits of upstream branch release/2016.4:
https://sourceforge.net/p/flightgear/flightgear/ci/release/2016.4/~/tree/ should do the job (as already said in other mails, and ditto for unstable with the release/2017.2 branch). For jessie (it's also affected), I successfully built FG in a jessie-amd64 pbuilder chroot with the attached source debdiff. You'll certainly want to make the patch headers DEP-3-compliant and arrange debian/changelog (at least the version number), but the C++ side should be fine with these changes. I only tested the build in this old version: no runtime test, but I don't expect any particular problem. :) Regards -- Florent
diff -Nru flightgear-3.0.0/debian/changelog flightgear-3.0.0/debian/changelog
--- flightgear-3.0.0/debian/changelog 2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/changelog 2017-08-28 18:07:28.000000000 +0200
@@ -1,3 +1,13 @@
+flightgear (3.0.0-5+deb8u3+frougon0) jessie; urgency=high
+
+ * Add two patches for CVE-2017-13709:
+ - call-fgInitAllowedPaths-earlier-c7a2ae.patch (required by the next
+ patch)
+ - CVE-2017-13709-FGLogger-2a5e3d.patch
+ * The patch headers are not in the Debian DEP-3 format, this needs fixing.
+
+ -- Florent Rougon <f.rou...@free.fr> Mon, 28 Aug 2017 18:07:28 +0200
+
 flightgear (3.0.0-5+deb8u2) jessie; urgency=high
 * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
diff -Nru flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch
--- flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/call-fgInitAllowedPaths-earlier-c7a2ae.patch 2017-08-28 18:07:28.000000000 +0200
@@ -0,0 +1,55 @@
+Author: Florent Rougon <f.rou...@free.fr>
+
+ Call fgInitAllowedPaths() earlier: after Options::processOptions()
+
+ Call fgInitAllowedPaths() right after Options::processOptions() (which,
+ among other things, determines $FG_ROOT and processes
+ --allow-nasal-read). This way, fgInitAllowedPaths() can be used in much
+ more code, such as when initializing subsystems.
+
+ (cherry picked from commit c7a2aef59979af3e9ff22daabb37bdaadb91cd75)
+
+--- a/src/Main/fg_init.cxx
++++ b/src/Main/fg_init.cxx
+@@ -1023,7 +1023,12 @@
+ fgGetNode("/sim")->removeChild("aircraft-dir");
+ fgInitAircraft(true);
+ flightgear::Options::sharedInstance()->processOptions();
+-
++
++ // Rebuild the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ render = new FGRenderer;
+ render->setEventHandler(eventHandler);
+ globals->set_renderer(render);
+--- a/src/Main/main.cxx
++++ b/src/Main/main.cxx
+@@ -461,7 +461,12 @@
+ } else if (configResult == flightgear::FG_OPTIONS_EXIT) {
+ return EXIT_SUCCESS;
+ }
+-
++
++ // Set the lists of allowed paths for cases where a path comes from an
++ // untrusted source, such as the global property tree (this uses $FG_HOME
++ // and other paths set by Options::processOptions()).
++ fgInitAllowedPaths();
++
+ // Initialize the Window/Graphics environment.
+ fgOSInit(&argc, argv);
+ _bootstrap_OSInit++;
+--- a/src/Scripting/NasalSys.cxx
++++ b/src/Scripting/NasalSys.cxx
+@@ -800,9 +800,6 @@
+ .member("singleShot", &TimerObj::isSingleShot, &TimerObj::setSingleShot)
+ .member("isRunning", &TimerObj::isRunning);
+
+- // Set allowed paths for Nasal I/O
+- fgInitAllowedPaths();
+-
+ // Now load the various source files in the Nasal directory
+ simgear::Dir nasalDir(SGPath(globals->get_fg_root(), "Nasal"));
+ loadScriptDirectory(nasalDir);
diff -Nru flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch
--- flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch 1970-01-01 01:00:00.000000000 +0100
+++ flightgear-3.0.0/debian/patches/CVE-2017-13709-FGLogger-2a5e3d.patch 2017-08-28 18:07:28.000000000 +0200
@@ -0,0 +1,69 @@
+Author: Florent Rougon <f.rou...@free.fr>
+
+ Security: don't allow FGLogger to overwrite arbitrary files
+
+ Since the paths of files written by FGLogger come from the property
+ tree[1], they must be validated before we decide to write to these
+ files.
+
+ [1] Except for the "empty" case, which uses the default name
+ 'fg_log.csv'.
+
+ This fixes CVE-2017-13709.
+
+ (cherry picked from commit 2a5e3d06b2c0d9f831063afe7e7260bca456d679)
+
+--- a/src/Main/logger.cxx
++++ b/src/Main/logger.cxx
+@@ -11,10 +11,14 @@
+
+ #include <fstream>
+ #include <string>
++#include <cstdlib>
+
+ #include <simgear/debug/logstream.hxx>
++#include <simgear/misc/sg_path.hxx>
+
+ #include "fg_props.hxx"
++#include "globals.hxx"
++#include "util.hxx"
+
+ using std::string;
+ using std::endl;
+@@ -55,6 +59,26 @@
+ child->setStringValue("filename", filename.c_str());
+ }
+
++ // Security: the path comes from the global Property Tree; it *must* be
++ // validated before we overwrite the file.
++ const string authorizedPath = fgValidatePath(filename,
++ true /* write */);
++
++ if (authorizedPath.empty()) {
++ const string propertyPath = child->getChild("filename")
++ ->getPath(true /* simplify */);
++ const SGPath proposedPath = SGPath(globals->get_fg_home()) / "Export";
++ const string msg =
++ "The FGLogger logging system, via the '" + propertyPath + "' property, "
++ "was asked to write to '" + filename + "', however this path is not "
++ "authorized for writing anymore for security reasons. 
" +
++ "Please choose another location, for instance in the $FG_HOME/Export "
++ "folder (" + proposedPath.str() + ").";
++
++ SG_LOG(SG_GENERAL, SG_ALERT, msg);
++ exit(EXIT_FAILURE);
++ }
++
+ string delimiter = child->getStringValue("delimiter");
+ if (delimiter.empty()) {
+ delimiter = ",";
+@@ -64,7 +88,8 @@
+ log.interval_ms = child->getLongValue("interval-ms");
+ log.last_time_ms = globals->get_sim_time_sec() * 1000;
+ log.delimiter = delimiter.c_str()[0];
+- log.output = new std::ofstream(filename.c_str());
++ // Security: use the return value of fgValidatePath()
++ log.output = new std::ofstream(authorizedPath.c_str());
+ if (!log.output) {
+ SG_LOG(SG_GENERAL, SG_ALERT, "Cannot write log to " << filename);
+ continue;
diff -Nru flightgear-3.0.0/debian/patches/series flightgear-3.0.0/debian/patches/series
--- flightgear-3.0.0/debian/patches/series 2017-07-02 14:39:08.000000000 +0200
+++ flightgear-3.0.0/debian/patches/series 2017-08-28 18:07:28.000000000 +0200
@@ -6,3 +6,6 @@
 route-manager-secu-fix-280cd5.patch
 fix-missing-lX11-in-link-commands.patch
 restrict-save-flightplan-secu-fix-faf872.patch
+# Required for CVE-2017-13709-FGLogger-2a5e3d.patch
+call-fgInitAllowedPaths-earlier-c7a2ae.patch
+CVE-2017-13709-FGLogger-2a5e3d.patch
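Review bot: The context check `if (!log.output)` immediately after the new line `log.output = new std::ofstream(authorizedPath.c_str());` can never detect an open failure, because a plain `new` throws rather than returning a null pointer, so an authorized path that is not writable (missing $FG_HOME/Export directory, permissions) silently leaves a stream in fail state and the "Cannot write log to" branch is dead; the test should be on the stream, `if (!log.output->is_open()) {`, and that ALERT would be more useful naming `authorizedPath`, the path actually opened. Separately, the patch header says the default `'fg_log.csv'` case is exempt, but in the hunk `fgValidatePath(filename, true /* write */)` runs after `setStringValue("filename", ...)`, so the default name is validated as well; if fgValidatePath() rejects bare relative names (its implementation is not in this diff) a configuration relying on the default now terminates via `exit(EXIT_FAILURE)`, which is worth a runtime check given the cover mail reports only a build test. The enclosing function starts before and ends after the hunk.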